I know this is an odd one but I was wondering if anyone has run into the issue or had to configure a way to block the legacy RDP app from being used to access the AVD host pool? We have a client that the IT contacts are knowledgeable enough to be dangerous. You guys all know the type. And despite our repeated discussion around not using the legacy app and RDP direct to the IP we know they are still using it. Does anyone have a best practice to block this app from accessing the AVD hosts?
Block Legacy RDP
I feel your pain. It's often difficult to transition "Shadow IT" into an MSP Managed world.
Almost as difficult as balancing the relationship in a "co-managed" environment.
There are a few things you could try, but I'm not sure if any of them will be particularly effective depending on how "determined" the user is...
- Talk to the user about the security risks in not going through the AVD Gateway
- Rename the MSTSC.exe file on their computer or create a custom AV/EDR policy to block it from executing
- Set up an NSG to only allow connections from Azure IPs (or block RDP from the client's office) since all you need for the client to work is TCP 443 (Required FQDNs and endpoints for Azure Virtual Desktop | Microsoft Learn)
- Put a DHCP reservation for their computer so you can block their IP on the AVD Hosts using Windows Firewall
- Move the customer fully to the cloud and use cloud printing (i.e. Universal Print, Printix, Printerlogic, etc.) so there's not a need for a S2S VPN, and remove their ability to RDP to the IP
- Create an elaborate host replacement process where the AVD host gets a different name and IP every day, so it becomes more effort to connect through the Legacy RDP client.
Please let us know what ends up working for you.
I'm sure others are/will be in a similar situation at some point in the future.
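The NSG and Windows Firewall options from the list above, as an added PowerShell example (not from this thread or from Microsoft): it denies direct TCP 3389 from the office range at the NSG, adds a matching host-side rule, and lists RDP logons that still arrived from that range. The resource group, NSG name and office CIDR are assumed placeholders; AVD sessions through the gateway keep working because the session host uses outbound 443 (reverse connect), not inbound 3389.

```powershell
# Assumed values - replace with the client's real ones.
$ResourceGroup = "rg-avd-prod"        # placeholder
$NsgName       = "nsg-avd-hosts"      # placeholder
$OfficeCidr    = "203.0.113.0/24"     # placeholder (RFC 5737 documentation range)

# 1) NSG: deny inbound RDP from the office (incl. traffic arriving over the S2S VPN).
#    Priority 100 puts it ahead of any later "allow" rules in the same NSG.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "Deny-Direct-RDP-From-Office" `
    -Description "Force AVD clients through the gateway; block mstsc to host IP" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $OfficeCidr -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Confirm the rule landed.
Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName |
    Get-AzNetworkSecurityRuleConfig -Name "Deny-Direct-RDP-From-Office" |
    Select-Object Name, Access, Priority, SourceAddressPrefix, DestinationPortRange

# 2) Defense in depth: the same block in Windows Firewall on each session host
#    (run on the host, e.g. via Intune/GPO/Run Command).
New-NetFirewallRule -DisplayName "Block direct RDP from office" `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $OfficeCidr -Profile Any | Out-Null

# 3) Evidence: interactive RDP logons (4624, LogonType 10) whose source IP is in
#    the office range. Simple prefix match is enough for a /24 placeholder.
$officePrefix = ($OfficeCidr -split '\.')[0..2] -join '.'
$rdpLogons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.Properties[5].Value
            Source = $_.Properties[18].Value   # IpAddress field of 4624
        }
    } |
    Where-Object { $_.Source -like "$officePrefix.*" }
$rdpLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run the NSG part from a workstation with the Az.Network module and the host-side parts on the session hosts themselves; the event query shows whether the direct connections stopped after the rules were applied.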